Preparing for EU General Data Protection Regulation with Revd. Mark James
In this comprehensive presentation by Revd. Mark James, learn about the EU General Data Protection Regulation (GDPR) including its background, timeframe, key differences from the EU Data Protection Directive, scope, definitions, and objectives. Understand the enhanced documentation, privacy notices, consent rules, data breach notifications, data subject rights, obligations on data processors, territorial scope, appointment of data protection officers, and increased fines and penalties under GDPR.
Presentation Transcript
Welcome to Preparing for the EU General Data Protection Regulation
Presented by Revd Mark James
GDPRP | CIPP-E | CIPM | DPO | PCI-DSS | ISO27001 | Trainer | Prince2
Programme
- 80 min overview of GDPR
- 10 min leg stretch
- 30 min Q&A
Background
- 1950 European Human Rights
- 1995 EU DP Directive 95/46
- 1998 DPA (live 2000)
- 2016 The GDPR Regulation
Background
Directive to Regulation: applies uniformly and is technologically neutral.
The General Data Protection Regulation will potentially repeal and replace the Data Protection Act 1998.
GDPR Timeframe
- March 2016 - European Parliament votes on legislation
- March to April 2016 - Approved text is published
- May 2016 - Enters into force
- 2 year transition period (2016 to 2018)
- May 25th 2018 - Becomes applicable
How is the GDPR different to the EU Data Protection Directive?
The principles are very similar to those of the EU Data Protection Directive. However, the GDPR contains a number of changes including:
- Enhanced documentation to be kept by data controllers
- Enhanced Privacy Notices
- More prescriptive rules on what constitutes consent
- Mandatory data breach notification requirement
- Enhanced Data Subject Rights
- New obligations on Data Processors
- Expanded territorial scope
- Appointment of Data Protection Officers
- Significant increase in the size of fines and penalties
The Objective
Article 1 of the regulation sets out two key objectives:
- Protection of the fundamental rights and freedoms of individual persons, in particular the protection of personal data
- Protection of the principle of free movement of personal data within the EU
What is personal data?
According to GDPR, 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of personal data
- Employee bank details
- HR records
- Email address
- A person's health data or other sensitive data
What is a Data Subject?
According to the Data Protection Act 1998 and GDPR: a natural living person who is the subject of personal data.
This does not include:
- Deceased individuals
- An individual who cannot be identified or distinguished from others
What is a Data Subject? Examples:
- Employee / Volunteer
- Congregation
- Parishioner
What is a Data Controller?
According to the Data Protection Act 1998: a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
According to GDPR: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
What is a Data Processor?
According to the Data Protection Act 1998: any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
According to GDPR: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
What is Sensitive Personal Data?
Under GDPR, the term used is Special Categories of Personal Data:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- physical or mental health or condition
- sex life or sexual orientation
- genetic data
- biometric data
6 Principles
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
7. Accountability
Transparency
- Identity and contact details of the Data Controller
- Purposes and legal basis
- If legitimate interests are used, what those legitimate interests are
- Retention period
- Individual rights under GDPR
- Whether a statutory or contractual requirement
The Purpose Limitation Principle Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
The Data Minimisation Principle Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Do not hold more information than is needed for the purpose(s) notified.
The Accuracy Principle Personal Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
The Storage Limitation Principle Personal Data shall be kept no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods for archiving purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.
The Integrity and Confidentiality Principle Personal Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Integrity and Confidentiality Principle
Keep secure from unauthorised or unlawful processing, accidental loss or destruction, or damage.
What is appropriate? Give regard to:
- Technological development
- Cost of implementing the security measures
- Nature, scope and context of the information in question
- Harm that might result from improper use, or from accidental loss or destruction
Cyber Security goes hand in hand with the GDPR.
Legal basis for processing At least one of the conditions set out in Article 6 (1) must be met in the case of all processing of Personal Data except where a relevant exemption applies.
Consent
The data subject has given his consent to the processing.
- Consent must be freely given, specific, informed and unambiguous
- Consent must be given by a statement of consent, or a clear affirmative action
- Pre-ticked boxes or implicit consent are not allowed
- Consent may be withdrawn at any time
- Onus on the Data Controller to demonstrate consent was given
Consent
Special categories of data require additional explicit consent. These categories are extended by GDPR. This means data that are particularly sensitive in relation to fundamental rights and freedoms and deserve specific protection. They include:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- genetic data
- biometric data
- health
- sex life
- sexual orientation
Consent
- Parental consent is required for children using online services
- GDPR sets the age of consent at 16 in the UK currently
Necessary for a contract
The processing is necessary for the performance of a contract to which the data subject is a party; or for the taking of steps at the request of the Data Subject with a view to entering into a contract.
Likely to be interpreted very narrowly.
Legal obligations The processing is necessary to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract
Vital interests The processing is necessary in order to protect the vital interests of the data subject or another person where the data subject is incapable of giving consent.
Public interest The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Legitimate interests The processing is necessary for the purposes of legitimate interests pursued by Data Controller or Third Party except where overridden by Data Subject interests, rights and freedoms
Legal basis for processing
Under GDPR, the requirement to have documentary evidence of your legal basis for processing is significantly enhanced:
- You must be able to demonstrate that comprehensive data protection compliance programmes, with policies, procedures and compliance infrastructure, are in place
- You have risk assessed high risk data flows
- EU DPAs will have the right to audit
Data Subject Rights
- Access
- Rectification
- Erasure (Right to be forgotten)
- Restriction of processing
- Portability
- Object to processing
- Automated decision making, including profiling
- Compensation
Access
- A fee is no longer payable for subject access requests
- Information must now be supplied within 1 month
- Can include opinions, voice recordings and manual records
- Very few exemptions
Rectification
- An individual has the right to have inaccurate data rectified without undue delay
- Source of the issue needs to be investigated
- Each case must be judged on its merits
Erasure (Right to be forgotten)
Individuals will have the right to request that businesses delete their personal data in certain circumstances. Examples:
- Withdrawal of consent when consent was the basis of collection
- No longer necessary for the purposes collected
- No overriding legitimate grounds
Each case must be judged on its merits. May involve notifying third parties.
Restriction of processing
An individual has the right to obtain a restriction of processing when:
- Accuracy is contested
- Processing is unlawful but the individual opposes deletion and requests restriction instead
- Data is no longer needed by the Data Controller but the individual requires it for the establishment, exercise or defence of legal claims
- Pending a right to object action
Data Portability
Individuals will have the right to obtain a copy of their personal data from the controller in a commonly-used format and have it transferred to another controller.
Object to processing
- An individual has the right to object to processing on the basis of their particular situation, including profiling
- Profiling is defined broadly and is likely to include most forms of online tracking and behavioural advertising
- The Data Controller is obliged to consider the request but not necessarily comply
- The Data Controller must respond with justifications for the decision
- An individual has the right to object to direct marketing
Automated decision making, including profiling
Individuals have the right to object to significant decisions, including profiling, made solely by automated means. Exceptions:
- Necessary for entering into or performance of a contract
- Authorised by Union or Member State law
- Individual's explicit consent
Compensation Individuals have a right to claim compensation for damages caused by infringement of the Regulation from the Data Controller or Data Processor
What constitutes a transfer of Personal Data?
Personal Data is considered to be transferred across borders when:
- It is physically transferred across borders, OR
- It is accessed across borders
Example: a support agent in India who is given access to a physical device located in the UK which contains Personal Data is considered a transfer by EU Data Protection Authorities.